Skip to content

Legal

Privacy Policy

Effective: June 2, 2026

Milestone (“we,” “our,” or “us”) operates the Milestone desktop application and the website at milestone-app.com. This Privacy Policy explains what data we collect, how we use it, where it lives, and your rights regarding that data. We are based in Tel Aviv, Israel.

The project content you create - your tasks, decisions, conventions, notes, and knowledge graph - is stored on our servers, hosted on Amazon Web Services (AWS), and cached on your device so the desktop app keeps working offline. When you run an AI session, the context you choose is sent to the AI provider that powers it. The sections below explain what we collect and who processes it.

1. Data We Collect

  • Account information - name and email address you provide when you sign up.
  • Early-access and website data - if you request early access on our website, we collect the email address you submit, plus basic product-analytics events (such as pages viewed and buttons clicked), via PostHog.
  • Usage data - in-app feature interactions and session metadata, collected via PostHog, to help us understand and improve the product.
  • Error and crash reports - stack traces and device metadata, collected via Sentry, to help us fix bugs.
  • Billing information - handled by Paddle, our merchant of record. Paddle collects the payment and billing details needed to process your purchase and applicable taxes. We never receive or store full card numbers.
  • Connected integrations - if you connect a service such as GitHub, we process the repository or project content you choose to bring into Milestone, at your direction.
  • Project content you create - tasks, decisions, conventions, notes, and knowledge-graph data. This is yours. It is stored on our servers (hosted on AWS) and cached on your device for offline use.

2. AI Sessions and How Your Content Is Processed

When you run an AI session in Milestone, the prompts you write and the project context you choose to include (for example, files or repository content) are sent to the AI provider that powers it so the model can generate a response. Claude Code runs locally on your device and communicates directly with Anthropic - Milestone does not route those prompts through its own servers. For AI features that Milestone operates itself, we send the context you choose to OpenAI. You control what context each session includes.

That processing is governed by the AI provider's terms. We do not use your prompts, project content, or knowledge-graph data to train AI models. Anthropic and OpenAI both state that they do not use data submitted through their APIs to train their models. Other AI integrations are on our roadmap; when added, the provider you use will process your session content under its own terms.

3. How We Use Your Data

  • To operate, maintain, and improve Milestone.
  • To process payments and provide billing support (via Paddle).
  • To send transactional and product emails (you can unsubscribe from non-essential messages at any time).
  • To diagnose and fix errors.
  • To prevent abuse and enforce our Terms of Service.
  • To comply with legal obligations.

We do not sell your personal data, and we do not share it for cross-context behavioral advertising. We do not use your project content to train AI models.

Where the GDPR applies, we rely on these legal bases: performance of our contract with you (to provide the Service and process billing); your consent (for non-essential analytics and marketing emails, which you may withdraw at any time); and our legitimate interests in operating, securing, and improving the Service. We do not carry out automated decision-making that produces legal or similarly significant effects on you.

4. Where Your Data Lives and How We Protect It

Your project content and knowledge graph are stored on our servers, hosted on Amazon Web Services (AWS) in the United States (us-east-1), and cached on your device for offline use. We protect data in transit with TLS and at rest with industry-standard encryption, and we restrict access to personnel who need it to do their job.

The account, billing, analytics, and error data described above is also held by the third-party providers listed in Section 8, each of which maintains its own technical and organisational security measures.

5. International Data Transfers

We are based in Israel, which the European Commission has recognised as providing an adequate level of data protection. Some of our providers (for example, AWS, Anthropic, OpenAI, PostHog, Paddle, and Sentry) may process data in the United States or other countries. Where required, those transfers rely on Standard Contractual Clauses approved by the European Commission, the EU–US Data Privacy Framework, or another lawful transfer mechanism.

6. Data Retention

We retain account data for as long as your account is active. After you delete your account, we remove your personal data from our records and instruct our providers to do the same within 30 days, except where we are required to retain it by law (for example, tax records held by Paddle). When you delete your account, we delete your project content and knowledge graph from our servers, and the local cache is cleared from your device.

7. Your Rights (GDPR / UK GDPR / CCPA)

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent at any time, without affecting prior processing.
  • Not be discriminated against for exercising your rights (CCPA).

To exercise any of these rights, email privacy@milestone-app.com. We will respond within the timeframe required by applicable law. You also have the right to lodge a complaint with your local data protection authority.

8. Third-Party Providers

We rely on the following providers to deliver the Service. Each processes only the data needed for its function. The full processor list and our Data Processing Agreement are available here.

  • Amazon Web Services (AWS) - cloud hosting and storage for your account, project content, and knowledge graph.
  • Anthropic - AI model processing (Claude Code), for AI sessions you run.
  • OpenAI - AI model processing for in-app AI features.
  • Paddle - merchant of record: payment processing, billing, invoicing, and tax.
  • PostHog - product analytics (US cloud).
  • Google (Google Tag Manager / Google Analytics) - website product analytics.
  • Sentry - error and crash monitoring.

9. Cookies

On our website, PostHog sets a first-party analytics identifier and Google Analytics (loaded via Google Tag Manager) sets its own analytics cookies, so we can measure product interest and improve the page. These load only after you accept analytics cookies; PostHog is configured to profile only identified users. The desktop app uses a session token to keep you signed in. We do not use advertising cookies or third-party advertising pixels.

10. Children

Milestone is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.

11. Changes to This Policy

We will notify you by email at least 14 days before any material change to this policy. Continued use of Milestone after the effective date constitutes acceptance of the updated policy.

12. Contact

Questions? Email privacy@milestone-app.com or write to: Milestone, Tel Aviv, Israel.